inspec 2.2.112 → 2.3.4

data/lib/inspec/plugin/v2/loader.rb

@@ -14,7 +14,6 @@ module Inspec::Plugin::V2
     def initialize(options = {})
       @options = options
       @registry = Inspec::Plugin::V2::Registry.instance
-      determine_plugin_conf_file
       read_conf_file
       unpack_conf_file
 
@@ -25,10 +24,17 @@ module Inspec::Plugin::V2
       # New-style (v2) co-distributed plugins are in lib/plugins,
       # and may be safely loaded
       detect_core_plugins unless options[:omit_core_plugins]
+
+      # Train plugins aren't InSpec plugins (they don't use our API)
+      # but InSpec CLI manages them.  So, we have to wrap them a bit.
+      accommodate_train_plugins
     end
 
     def load_all
-      registry.each do |plugin_name, plugin_details|
+      # Be careful not to actually iterate directly over the registry here;
+      # we want to allow "sidecar loading", in which case a plugin may add an entry to the registry.
+      registry.plugin_names.dup.each do |plugin_name|
+        plugin_details = registry[plugin_name]
         # We want to capture literally any possible exception here, since we are storing them.
         # rubocop: disable Lint/RescueException
         begin
@@ -69,13 +75,44 @@ module Inspec::Plugin::V2
       end
     end
 
+    def activate_mentioned_cli_plugins(cli_args = ARGV)
+      # Get a list of CLI plugin activation hooks
+      registry.find_activators(plugin_type: :cli_command).each do |act|
+        next if act.activated?
+
+        # Decide whether to activate.  Several conditions, so split them out for clarity.
+        # Assume no, to start.  Each condition may flip it true, which will short-circuit
+        # all following ||= ops.
+        activate_me = false
+
+        # If the user invoked `inspec help`, activate all CLI plugins, so they can
+        # display their usage message.
+        activate_me ||= cli_args.first == 'help'
+
+        # Likewise, if they invoked simply `inspec`, they are confused, and need
+        # usage info.
+        activate_me ||= cli_args.empty?
+
+        # If there is anything in the CLI args with the same name, activate it.
+        # This is the expected usual activation for individual plugins.
+        # `inspec dosomething` => activate the :dosomething hook
+        activate_me ||= cli_args.include?(act.activator_name.to_s)
+
+        # OK, activate.
+        if activate_me
+          activate(:cli_command, act.activator_name)
+          act.implementation_class.register_with_thor
+        end
+      end
+    end
+
     def activate(plugin_type, hook_name)
       activator = registry.find_activators(plugin_type: plugin_type, activator_name: hook_name).first
       # We want to capture literally any possible exception here, since we are storing them.
       # rubocop: disable Lint/RescueException
       begin
         impl_class = activator.activation_proc.call
-        activator.activated = true
+        activator.activated?(true)
         activator.implementation_class = impl_class
       rescue Exception => ex
         activator.exception = ex
@@ -84,24 +121,85 @@ module Inspec::Plugin::V2
       # rubocop: enable Lint/RescueException
     end
 
-    def activate_mentioned_cli_plugins(cli_args = ARGV)
-      # Get a list of CLI plugin activation hooks
-      registry.find_activators(plugin_type: :cli_command).each do |act|
-        next if act.activated
-        # If there is anything in the CLI args with the same name, activate it
-        # If the word 'help' appears in the first position, load all CLI plugins
-        if cli_args.include?(act.activator_name.to_s) || cli_args[0] == 'help' || cli_args.size.zero?
-          activate(:cli_command, act.activator_name)
-          act.implementation_class.register_with_thor
-        end
-      end
+    def plugin_gem_path
+      self.class.plugin_gem_path
+    end
+
+    def self.plugin_gem_path
+      # I can't believe there isn't a simpler way of getting this
+      # 2.4.2.p123 => 2.4.0
+      ruby_abi_version = (Gem.ruby_version.segments[0, 2] << 0).join('.')
+      File.join(Inspec.config_dir, 'gems', ruby_abi_version)
+    end
+
+    # Lists all gems found in the plugin_gem_path.
+    # @return [Array[Gem::Specification]] Specs of all gems found.
+    def self.list_managed_gems
+      Dir.glob(File.join(plugin_gem_path, 'specifications', '*.gemspec')).map { |p| Gem::Specification.load(p) }
+    end
+
+    def list_managed_gems
+      self.class.list_managed_gems
+    end
+
+    # Lists all plugin gems found in the plugin_gem_path.
+    # This is simply all gems that begin with train- or inspec-.
+    # @return [Array[Gem::Specification]] Specs of all gems found.
+    def self.list_installed_plugin_gems
+      list_managed_gems.select { |spec| spec.name.match(/^(inspec|train)-/) }
+    end
+
+    def list_installed_plugin_gems
+      self.class.list_managed_gems
+    end
+
+    # TODO: refactor the plugin.json file to have its own class, which Loader consumes
+    def plugin_conf_file_path
+      self.class.plugin_conf_file_path
+    end
+
+    # TODO: refactor the plugin.json file to have its own class, which Loader consumes
+    def self.plugin_conf_file_path
+      File.join(Inspec.config_dir, 'plugins.json')
     end
 
     private
 
+    # 'Activating' a gem adds it to the load path, so 'require "gemname"' will work.
+    # Given a gem name, this activates the gem and all of its dependencies, respecting
+    # version pinning needs.
+    def activate_managed_gems_for_plugin(plugin_gem_name, version_constraint = '> 0')
+      # TODO: enforce first-level version pinning
+      plugin_deps = [Gem::Dependency.new(plugin_gem_name.to_s, version_constraint)]
+      managed_gem_set = Gem::Resolver::VendorSet.new
+      list_managed_gems.each { |spec| managed_gem_set.add_vendor_gem(spec.name, spec.gem_dir) }
+
+      # TODO: Next two lines merge our managed gems with the other gems available
+      # in our "local universe" - which may be the system, or it could be in a Bundler microcosm,
+      # or rbenv, etc. Do we want to merge that, though?
+      distrib_gem_set = Gem::Resolver::CurrentSet.new
+      installed_gem_set = Gem::Resolver.compose_sets(managed_gem_set, distrib_gem_set)
+
+      # So, given what we need, and what we have available, what activations are needed?
+      resolver = Gem::Resolver.new(plugin_deps, installed_gem_set)
+      begin
+        solution = resolver.resolve
+      rescue Gem::UnsatisfiableDependencyError => gem_ex
+        # If you broke your install, or downgraded to a plugin with a bad gemspec, you could get here.
+        ex = Inspec::Plugin::V2::LoadError.new(gem_ex.message)
+        raise ex
+      end
+      solution.each do |activation_request|
+        next if activation_request.full_spec.activated?
+        activation_request.full_spec.activate
+        # TODO: If we are under Bundler, inform it that we loaded a gem
+      end
+    end
+
     def annotate_status_after_loading(plugin_name)
       status = registry[plugin_name]
       return if status.api_generation == 2 # Gen2 have self-annotating superclasses
+      return if status.api_generation == :'train-1' # Train plugins are here as a courtesy, don't poke them
       case status.installation_type
       when :bundle
         annotate_bundle_plugin_status_after_load(plugin_name)
@@ -116,7 +214,7 @@ module Inspec::Plugin::V2
       status = registry[plugin_name]
       status.api_generation = 0
       act = Activator.new
-      act.activated = true
+      act.activated?(true)
       act.plugin_type = :cli_command
       act.plugin_name = plugin_name
       act.activator_name = :default
@@ -133,7 +231,7 @@ module Inspec::Plugin::V2
         File.join(bundle_dir, 'train-*.rb'),
       ]
       Dir.glob(globs).each do |loader_file|
-        name = File.basename(loader_file, '.rb').gsub(/^(inspec|train)-/, '')
+        name = File.basename(loader_file, '.rb').to_sym
         status = Inspec::Plugin::V2::Status.new
         status.name = name
         status.entry_point = loader_file
@@ -143,30 +241,37 @@ module Inspec::Plugin::V2
       end
     end
 
-    def determine_plugin_conf_file
-      @plugin_conf_file_path = ENV['INSPEC_CONFIG_DIR'] ? ENV['INSPEC_CONFIG_DIR'] : File.join(Dir.home, '.inspec')
-      @plugin_conf_file_path = File.join(@plugin_conf_file_path, 'plugins.json')
-    end
-
     def detect_core_plugins
       core_plugins_dir = File.expand_path(File.join(File.dirname(__FILE__), '..', '..', '..', 'plugins'))
       # These are expected to be organized as proper separate projects,
       # with lib/ dirs, etc.
       Dir.glob(File.join(core_plugins_dir, 'inspec-*')).each do |plugin_dir|
         status = Inspec::Plugin::V2::Status.new
-        status.name = File.basename(plugin_dir)
-        status.entry_point = File.join(plugin_dir, 'lib', status.name + '.rb')
-        status.installation_type = :path
+        status.name = File.basename(plugin_dir).to_sym
+        status.entry_point = File.join(plugin_dir, 'lib', status.name.to_s + '.rb')
+        status.installation_type = :core
         status.loaded = false
         registry[status.name.to_sym] = status
       end
     end
 
+    def accommodate_train_plugins
+      registry.plugin_names.map(&:to_s).grep(/^train-/).each do |train_plugin_name|
+        status = registry[train_plugin_name.to_sym]
+        status.api_generation = :'train-1'
+
+        if status.installation_type == :gem
+          # Activate the gem. This allows train to 'require' the gem later.
+          activate_managed_gems_for_plugin(train_plugin_name)
+        end
+      end
+    end
+
     # TODO: DRY up re: Installer read_or_init_config_file
     # TODO: refactor the plugin.json file to have its own class, which Loader consumes
     def read_conf_file
-      if File.exist?(@plugin_conf_file_path)
-        @plugin_file_contents = JSON.parse(File.read(@plugin_conf_file_path))
+      if File.exist?(plugin_conf_file_path)
+        @plugin_file_contents = JSON.parse(File.read(plugin_conf_file_path))
       else
         @plugin_file_contents = {
           'plugins_config_version' => '1.0.0',
@@ -174,19 +279,20 @@ module Inspec::Plugin::V2
         }
       end
     rescue JSON::ParserError => e
-      raise Inspec::Plugin::V2::ConfigError, "Failed to load plugins JSON configuration from #{@plugin_conf_file_path}:\n#{e}"
+      raise Inspec::Plugin::V2::ConfigError, "Failed to load plugins JSON configuration from #{plugin_conf_file_path}:\n#{e}"
     end
 
+    # TODO: refactor the plugin.json file to have its own class, which Loader consumes
     def unpack_conf_file
       validate_conf_file
       @plugin_file_contents['plugins'].each do |plugin_json|
         status = Inspec::Plugin::V2::Status.new
         status.name = plugin_json['name'].to_sym
         status.loaded = false
-        status.installation_type = plugin_json['installation_type'].to_sym || :gem
+        status.installation_type = (plugin_json['installation_type'] || :gem).to_sym
         case status.installation_type
         when :gem
-          status.entry_point = status.name
+          status.entry_point = status.name.to_s
           status.version = plugin_json['version']
         when :path
           status.entry_point = plugin_json['installation_path']
@@ -196,9 +302,10 @@ module Inspec::Plugin::V2
       end
     end
 
+    # TODO: refactor the plugin.json file to have its own class, which Loader consumes
     def validate_conf_file
       unless @plugin_file_contents['plugins_config_version'] == '1.0.0'
-        raise Inspec::Plugin::V2::ConfigError, "Unsupported plugins.json file version #{@plugin_file_contents['plugins_config_version']} at #{@plugin_conf_file_path} - currently support versions: 1.0.0"
+        raise Inspec::Plugin::V2::ConfigError, "Unsupported plugins.json file version #{@plugin_file_contents['plugins_config_version']} at #{plugin_conf_file_path} - currently support versions: 1.0.0"
       end
 
       plugin_entries = @plugin_file_contents['plugins']

data/lib/inspec/plugin/v2/registry.rb

@@ -1,5 +1,7 @@
 require 'forwardable'
 require 'singleton'
+require 'train'
+
 require_relative 'status'
 require_relative 'activator'
 
@@ -25,11 +27,14 @@ module Inspec::Plugin::V2
     end
 
     def loaded_plugin?(name)
-      registry.dig(name, :loaded)
+      # HACK: Status is normally the source of truth for loadedness, unless it is a train plugin; then the Train::Registry is the source of truth.
+      # Also, InSpec registry is keyed on Symbols; Train is keyed on Strings.
+      return registry.dig(name.to_sym, :loaded) unless name.to_s.start_with?('train-')
+      Train::Plugins.registry.key?(name.to_s.sub(/^train-/, ''))
     end
 
     def loaded_count
-      registry.values.select(&:loaded).count
+      loaded_plugin_names.count
     end
 
     def known_count
@@ -37,7 +42,11 @@ module Inspec::Plugin::V2
     end
 
     def loaded_plugin_names
-      registry.values.select(&:loaded).map(&:name)
+      registry.keys.select { |name| loaded_plugin?(name) }
+    end
+
+    def path_based_plugin?(name)
+      known_plugin?(name.to_sym) && registry[name.to_sym].installation_type == :path
     end
 
     def find_status_by_class(klass)
@@ -60,7 +69,7 @@ module Inspec::Plugin::V2
 
     def register(name, status)
       if known_plugin? name
-        Inspec::Log.warn "PluginLoader: refusing to re-register plugin '#{name}': an existing plugin with that name was loaded via #{existing.installation_type}-loading from #{existing.entry_point}"
+        Inspec::Log.debug "PluginLoader: refusing to re-register plugin '#{name}': an existing plugin with that name was loaded via #{registry[name].installation_type}-loading from #{registry[name].entry_point}"
       else
         registry[name.to_sym] = status
       end

data/lib/inspec/profile.rb

@@ -369,7 +369,7 @@ module Inspec
         error.call(sfile, sline, nil, id, 'Avoid controls with empty IDs') if id.nil? or id.empty?
         next if id.start_with? '(generated '
         warn.call(sfile, sline, nil, id, "Control #{id} has no title") if control[:title].to_s.empty?
-        warn.call(sfile, sline, nil, id, "Control #{id} has no description") if control[:desc].to_s.empty?
+        warn.call(sfile, sline, nil, id, "Control #{id} has no descriptions") if control[:descriptions][:default].to_s.empty?
         warn.call(sfile, sline, nil, id, "Control #{id} has impact > 1.0") if control[:impact].to_f > 1.0
         warn.call(sfile, sline, nil, id, "Control #{id} has impact < 0.0") if control[:impact].to_f < 0.0
         warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? or control[:checks].empty?
@@ -561,6 +561,7 @@ module Inspec
       controls[id] = {
         title: rule.title,
         desc: rule.desc,
+        descriptions: rule.descriptions,
         impact: rule.impact,
         refs: rule.ref,
         tags: rule.tag,

data/lib/inspec/reporters/json.rb

@@ -60,7 +60,8 @@ module Inspec::Reporters
         control = {
           id: c[:id],
           title: c[:title],
-          desc: c[:desc],
+          desc: c.dig(:descriptions, :default),
+          descriptions: convert_descriptions(c[:descriptions]),
           impact: c[:impact],
           refs: c[:refs],
           tags: c[:tags],
@@ -116,5 +117,14 @@ module Inspec::Reporters
       end
       profiles
     end
+
+    def convert_descriptions(data)
+      return [] if data.nil?
+      results = []
+      data.each do |label, text|
+        results.push({ label: label.to_s, data: text })
+      end
+      results
+    end
   end
 end

data/lib/inspec/resource.rb

@@ -91,21 +91,12 @@ inspec_core_only = !File.exist?(File.join(File.dirname(__FILE__), '..', 'resourc
 
 # Do not attempt to load cloud resources if we are in inspec-core mode
 unless inspec_core_only
-  # AWS resources are included via their own file,
-  # but only consider loading them if we have the SDK available, and is v2.
-  # https://github.com/inspec/inspec/issues/2571
-  if Gem.loaded_specs.key?('aws-sdk') && Gem.loaded_specs['aws-sdk'].version < Gem::Version.new('3.0.0')
-    require 'resource_support/aws'
-  end
-
-  # Azure resources
-  if Gem.loaded_specs.key?('azure_mgmt_resources')
-    require 'resources/azure/azure_backend.rb'
-    require 'resources/azure/azure_generic_resource.rb'
-    require 'resources/azure/azure_resource_group.rb'
-    require 'resources/azure/azure_virtual_machine.rb'
-    require 'resources/azure/azure_virtual_machine_data_disk.rb'
-  end
+  require 'resource_support/aws'
+  require 'resources/azure/azure_backend.rb'
+  require 'resources/azure/azure_generic_resource.rb'
+  require 'resources/azure/azure_resource_group.rb'
+  require 'resources/azure/azure_virtual_machine.rb'
+  require 'resources/azure/azure_virtual_machine_data_disk.rb'
 end
 
 require 'resources/aide_conf'

data/lib/inspec/rule.rb

@@ -32,7 +32,7 @@ module Inspec
     def initialize(id, profile_id, opts, &block)
       @impact = nil
       @title = nil
-      @desc = nil
+      @descriptions = {}
       @refs = []
       @tags = {}
 
@@ -89,9 +89,18 @@ module Inspec
       @title
     end
 
-    def desc(v = nil)
-      @desc = unindent(v) unless v.nil?
-      @desc
+    def desc(v = nil, data = nil)
+      return @descriptions[:default] if v.nil?
+      if data.nil?
+        @descriptions[:default] = unindent(v)
+      else
+        @descriptions[v.to_sym] = unindent(data)
+      end
+    end
+
+    def descriptions(description_hash = nil)
+      return @descriptions if description_hash.nil?
+      @descriptions.merge!(description_hash)
     end
 
     def ref(ref = nil, opts = {})
@@ -221,11 +230,11 @@ module Inspec
         return
       end
       # merge all fields
-      dst.impact(src.impact) unless src.impact.nil?
-      dst.title(src.title)   unless src.title.nil?
-      dst.desc(src.desc)     unless src.desc.nil?
-      dst.tag(src.tag)       unless src.tag.nil?
-      dst.ref(src.ref)       unless src.ref.nil?
+      dst.impact(src.impact)                 unless src.impact.nil?
+      dst.title(src.title)                   unless src.title.nil?
+      dst.descriptions(src.descriptions)     unless src.descriptions.nil?
+      dst.tag(src.tag)                       unless src.tag.nil?
+      dst.ref(src.ref)                       unless src.ref.nil?
 
       # merge indirect fields
       # checks defined in the source will completely eliminate

data/lib/inspec/runner_rspec.rb

@@ -167,7 +167,7 @@ module Inspec
       metadata[:profile_id] = ::Inspec::Rule.profile_id(rule)
       metadata[:impact] = rule.impact
       metadata[:title] = rule.title
-      metadata[:desc] = rule.desc
+      metadata[:descriptions] = rule.descriptions
       metadata[:code] = rule.instance_variable_get(:@__code)
       metadata[:source_location] = rule.instance_variable_get(:@__source_location)
     end

data/lib/inspec/schema.rb

@@ -84,6 +84,7 @@ module Inspec
         'id' => { 'type' => 'string' },
         'title' => { 'type' => %w{string null} },
         'desc' => { 'type' => %w{string null} },
+        'descriptions' => { 'type' => %w{array} },
         'impact' => { 'type' => 'number' },
         'refs' => REFS,
         'tags' => TAGS,